Hello everyone. My name is Abhishek Kesarwani. I am going to present exhaustive search for various types of MDS matrices. This is joint work with Santanu Sarkar and Ayineedi Venkateswarlu. So, let's start.

So, the outline of my talk is as follows. First, we give the introduction of my talk, where we talk about what MDS matrices are and what the existing works in search of MDS matrices are. Second, we talk about the exhaustive search, our idea of constructing MDS matrices. Then, at last, we will give our results.

Okay, let's start. What are MDS matrices? So, MDS matrices are used in the design of the diffusion layer in many block ciphers and hash functions. A linear diffusion layer is a linear transformation with the property that a small change in its input causes a significant change in output. The term MDS originates from coding theory: codes for which the Singleton bound is met are called maximum distance separable codes. Okay, the MDS matrices are said to be perfect diffusion layers. The entries of an MDS matrix cannot be the zero element. Therefore, MDS matrices cannot be sparse. Here, we mainly focus on the hardware implementation of MDS matrices rather than software. The implementation cost of an MDS matrix is the minimum number of XOR gates required to evaluate the output vector when multiplied with the given matrix.

Okay, in search of efficiently implementable MDS matrices, there have been many works proposed. To calculate the cost of MDS matrices, initially two metrics were proposed. Here, we consider two metrics. The first one is direct XOR count and the second one is sequential XOR count. Here, we look at the cost of each entry of the MDS matrix, then we calculate the whole cost of the implementation of the MDS matrix. So, in a sense, we have looked locally, but if we see recent work, the focus has shifted to global optimization tools.
However, global optimization tools rely on improving the XOR gates of already known MDS matrices, and these adopt some heuristic approach to find it. Though finding an optimal implementation for a given matrix is NP-hard, these tools provide better implementations if we compare with the local optimization.

Okay, now we will move on to what the existing works are. So, in the literature, if we see, most of the existing works employ some ad hoc technique to search for efficient MDS matrices. In fact, they have searched over some low-cost, low XOR count elements, and in some cases, people have also searched for lightweight structured types of matrices. But doing this, we also have some limitations, like you have not searched over the full domain, but over some subsets of the domain. So, there may be a chance that some better MDS matrices may be out of reach. Also, another problem is that, suppose there does not exist an MDS matrix of a particular type, then in that case, putting your effort in search of MDS matrices is futile.

So, what is our idea? Our idea is to do exhaustive search; exhaustive search examines every possible solution inside the search region and thus gives the best possible solution. Please note that exhaustive search is not possible by the naive approach, which we will see in the coming slides. So, how are we going to do that? Okay, first of all, we will restrict the search to a smaller domain by using some linear algebra tools, then we will apply some space-time trade-off technique to find the solutions in the restricted domain. Once we have the set of all the solutions in the restricted domain, we can generate all the solutions in the full domain from the set over the restricted domain by using some lemmas, some results. Okay.

Now, by doing exhaustive search, the advantage we have is that, in case MDS matrices exist, the best matrices, which have the least cost with respect to some efficiency metric, can be identified.
Because you know the set of all MDS matrices of a particular type, you can apply any metric that is suitable for hardware implementation. Then the second advantage we have is that if MDS matrices do not exist, then we should not waste our effort and time in search of MDS matrices of that particular type. Okay, so through exhaustive search, we can avoid such unsuccessful attempts.

Okay, now we come to what an MDS matrix is. So we follow the usual notation here, where the main point is to observe that M_m is the ring of m × m matrices over the binary field. And we have considered block matrices over M_m. So M_n(M_m) denotes the set of n × n block matrices over M_m. A matrix M over a field is said to be MDS if and only if every square submatrix of M is non-singular. Similarly, we can define that a block matrix is said to be MDS if every square block submatrix of M is non-singular.

Okay, so as I said earlier, exhaustive search is not possible through the naive approach. We will show it by considering one example of 8 × 8 circulant MDS matrices over the general linear group. So we have eight elements, C_0 to C_7, all elements from the general linear group GL(4, F_2). As we see, the size of the search space is approximately 2^112, as the cardinality of GL(4, F_2) is approximately equal to 2^14. As we know that the cardinality of this general linear group is have contained element 20,001 and existing element.

Okay, now we will see our result. Okay, as we are considering MDS matrices over the general linear group, set of all m × m matrices over the binary field. So here, suppose this is a group, then we can define a similarity relation over this group, and this will be an equivalence relation. So, it will give equivalence classes. These equivalence classes we call conjugacy classes. So, the whole group GL(4, F_2) will be divided into four distinct equivalence classes. Each class has its representative.
So, we have to deal with the representatives and we can ignore the others. Okay. So, suppose we have picked one element from some conjugacy class, A. So, we have a subgroup of the group G, called the centralizer of A; it is the collection of all the elements of the group G which commute with A. Again, we can consider the action of C_G(A) on G by conjugation. This will be an equivalence relation and we call the equivalence classes restricted conjugacy classes, because all this started with a point A. So, again, what we have: we have a general linear group. It will be divided into restricted conjugacy classes. Therefore, we have different colors representing the distinct restricted conjugacy classes. Okay. So, we have conjugacy classes and restricted conjugacy classes.

We will use some properties of MDS matrices to reduce our search space. So, suppose M and M′ are two block matrices. We will say they are diagonally equivalent if there exist P and Q, block diagonal matrices over the general linear group, that is, block diagonal matrices which have the diagonal entries coming from m × m non-singular matrices. Then we will say M and M′ are diagonally equivalent. We have one lemma that says: if M and M′ are diagonally equivalent, M is MDS if and only if M′ is MDS. The proof is quite trivial because we can have a one-to-one map from the set of all submatrices of M′ to the submatrices of M. So, if M is MDS, this obviously implies M′ is MDS. Okay.

Now, we are going to show our exhaustive search for the case of circulant MDS matrices. So, how are we going to do that? So, suppose this is called C′; this is my restricted circulant matrix. So, how it is restricted is that we have chosen any three distinct integers i, j, k. And I am making C_i the identity, C_j as A, which is coming from a conjugacy class, and C_k as B, which is coming from a restricted conjugacy class.
And any circulant MDS matrix C can be written in terms of a restricted circulant MDS matrix C′ by this, where a diagonal P will be multiplied on the left-hand side and a diagonal Q will be multiplied on the right-hand side, where P and Q are elements of the non-singular m × m matrices. So, what is the main point to observe? In fact, we are restricting only the three elements i, j, k and the rest are varying over the full domain GL(m, F_2). So, the main point to observe is that it is enough to search the circulant MDS matrices over the restricted domain C′. And we can apply the space-time trade-off technique to get the solutions over the restricted domain. And one can generate all the solutions C by multiplying P on the left-hand side and multiplying Q on the right-hand side.

So, we now illustrate the main ideas of our technique by concentrating on an example of 8 × 8 circulant MDS matrices over the general linear group. Okay, suppose we are given a circulant MDS matrix of order 8. So, first of all, we choose C_0 as the identity element, C_4 as coming from the conjugacy classes, C_2 as coming from a restricted conjugacy class, and the rest are varying over the general linear group. So, what we need to be sure of is that it should be an MDS matrix. So, we need to be sure that all its 2 × 2 submatrices are non-singular. So, once we learn, we store the choices of C_i which satisfy the given condition, and the remaining submatrices of order 3 we check recursively using the same formula, by writing them in terms of the 2 × 2 submatrices. So, the main point to observe is that the number of circulant MDS matrices over the restricted domain is just 32. And we extend the matrix C by multiplying a diagonal P inverse on the left-hand side and a diagonal P on the right-hand side. So, we call this the extended set. So, in the extended set we have this many circulant MDS matrices. Now, observe that in C here there is still an identity element in the first row.
So, we need to multiply with a Q on the left-hand side of C. Therefore, the set of all 8 × 8 circulant MDS matrices is this big number.

Now, we are going to see an overview of our results. So, here we have considered four types of matrices: circulant, Hadamard, companion and sparse DSI. So, the problem of constructing involutory circulant MDS matrices of order 6 and 8 is given in an et al. paper in FSE 2016. So, we have got the negative result that we don't have any involutory circulant MDS matrix of order 6 and 8. And the main result here is that we have got involutory MDS matrices obtained from companion matrices. So, this is important because there was a result in the Gupta et al. paper that states that there does not exist a recursive involutory MDS companion matrix over a field of characteristic 2. But we have got involutory recursive MDS companion matrices over the set of 4 × 4 non-singular binary matrices. Similarly, for the case of sparse DSI, there was a problem posed in the Toh et al. paper in Africacrypt 2018, whether there exists a sparse DSI matrix of higher order like 5, 6, 7, 8. So, we have a negative result that we don't have any recursive MDS matrices of type sparse DSI.

So, note that we have considered MDS matrices over the general linear group, as this group is a superset of the finite field, since every finite field element can also be interpreted as an element of the general linear group. In fact, every non-zero element of a finite field can be seen as an element of a general linear group. We not only consider MDS matrices over the set of all m × m non-singular matrices but also over a field: we have constructed recursive MDS matrices from sparse DSI matrices over a finite field. So, in general, the structure of any n × n sparse DSI matrix is given by this; then we have restricted it and we have a restricted sparse DSI matrix.
S′ is given by this; observe that the elements below the diagonal we can make one, and we can restrict a_0 also, where a_0 varies over α^s for s varying from 0 to 2 to t where n equals 2 to the power L t. So, what we need is to search over only the restricted domain, and the set of all sparse DSI matrices can be calculated from this result. You just need to multiply a diagonal matrix D inverse on the left-hand side and D on the right-hand side, and you can generate the set of all sparse DSI matrices from the set of sparse DSI matrices over the restricted domain.

Okay, so we have performed the experiments. And we have found the number of n-MDS sparse DSI matrices of different sizes. So, the main point to observe is that in paper three, Toh et al. in Africacrypt, this was a question posed: whether there exists an 8 × 8 MDS matrix over 2^8; but by our result we now claim that no such MDS matrix exists.

Okay, overall, what is the summary of my talk? So, we have considered the MDS matrix as a block matrix. Now, we have provided MDS matrices in some cases which were not known, just like we have given involutory companion MDS matrices over non-singular matrices. We also establish the non-existence of MDS matrices for some parameter choices. These results are relevant because people have tried hard to search for MDS matrices which don't even exist. Also, we give a list of MDS matrices with the least cost with respect to the d-XOR and s-XOR metrics. Our base list of MDS matrices is available at this link. And we give a base list, and using our result you can generate the set of all MDS matrices of a particular type. And once you have the set of all MDS matrices, then using a suitable platform implementation, we can find the best one. So all the proofs and the results presented here are general.
And therefore they can be applied to other types of matrices. Okay. Thank you.
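
Added example (not from the talk or the authors' code): for the smallest non-trivial case, 2 × 2 blocks over F_2, this searches circulant block MDS matrices with C_0 fixed to the identity and rebuilds the full solution set by left-multiplying with every Q, as described above for the identity left in the first row. It uses only that one restriction, not the conjugacy-class reduction or the space-time trade-off; the function names and the choice m = 2 are assumptions made here.

```python
from functools import reduce
from itertools import combinations, product
from operator import xor

M = 2  # block size m (assumption: tiny, so the unrestricted search is feasible)

def rank_gf2(rows):
    """Rank over F_2 of a matrix whose rows are integer bitmasks."""
    rows, rank = list(rows), 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot  # lowest set bit is the pivot column
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank

# GL(m, F_2) as tuples of row bitmasks; IDENT is the identity block.
GL = [g for g in product(range(1 << M), repeat=M) if rank_gf2(g) == M]
IDENT = tuple(1 << i for i in range(M))

def mul(a, b):
    """Product a*b of two m x m binary blocks."""
    return tuple(reduce(xor, (b[j] for j in range(M) if row >> j & 1), 0) for row in a)

def circulant(first_row):
    n = len(first_row)
    return [[first_row[(j - i) % n] for j in range(n)] for i in range(n)]

def is_block_mds(blocks):
    """True if every square block submatrix is non-singular over F_2."""
    n = len(blocks)
    for k in range(1, n + 1):
        for rs in combinations(range(n), k):
            for cs in combinations(range(n), k):
                rows = [sum(blocks[r][c][i] << (p * M) for p, c in enumerate(cs))
                        for r in rs for i in range(M)]
                if rank_gf2(rows) != k * M:
                    return False
    return True

def search(n, fix_identity):
    """First rows of n x n circulant block MDS matrices; optionally C_0 = I."""
    heads = [IDENT] if fix_identity else GL
    return {(c0,) + rest for c0 in heads for rest in product(GL, repeat=n - 1)
            if is_block_mds(circulant((c0,) + rest))}

def extend(restricted):
    """Left-multiply every block of each restricted solution by each Q in GL."""
    return {tuple(mul(q, c) for c in row) for row in restricted for q in GL}
```

For n = 2 the restricted search visits 6 candidates instead of 36 and still recovers every solution after extension.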